![9
OWASP 2013 Top 10
[10] Unvalidated redirects and forwards
[9] Using components with known vulnerabilities
[8] Cross-site request forgery
[7] Missing function level access control
[6] Sensitive data exposure
[5] Security misconfiguration
[4] Insecure direct object reference
[3] Cross-site scripting (XSS)
[2] Broken authentication and session management](https://image.slidesharecdn.com/splunklivedc2016-securityhandson-2-160419151531/85/Splunk-Enterpise-for-Information-Security-Hands-On-9-320.jpg)
![10
[1] Injection
SQL injection
Code injection
OS commanding
LDAP injection
XML injection
XPath injection
SSI injection
IMAP/SMTP injection
Buffer overflow](https://image.slidesharecdn.com/splunklivedc2016-securityhandson-2-160419151531/85/Splunk-Enterpise-for-Information-Security-Hands-On-10-320.jpg)
Uploaded bySplunk
Splunk Enterpise for Information Security Hands-On
The document is a presentation on leveraging Splunk for information security, covering topics such as web attacks, lateral movement, and DNS exfiltration. It discusses various attack methodologies like SQL injection and pass-the-hash and emphasizes the importance of detecting these threats using Splunk's capabilities. The conclusion highlights the need for comprehensive detection across all phases of modern attacks and invites participants to engage further at the Splunk conference.
More Related Content
![Carlos García - Pentesting Active Directory [rooted2018]](https://cdn.slidesharecdn.com/ss_thumbnails/carlosgarcia-slides-180312234839-thumbnail.jpg?width=640&height=640&fit=bounds)
![MPLS L3 VPN Tutorial, by Nurul Islam Roman [APNIC 38]](https://cdn.slidesharecdn.com/ss_thumbnails/mplsl3vpnapnic381410820509-140915192004-phpapp02-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Splunk Enterpise for Information Security Hands-On
Splunk Enterpise for Information Security Hands-On
- 1. Copyright © 2016Splunk Inc. Splunk Enterprise for Information Security Hands-On Presenters: Rene Aguero & John Stoner
- 2. Copyright © 2016Splunk Inc. Intro
- 3. 3 #whoami John StonerRene Aguero •Security Markets Specialist • Splunk 1 year F50, Rapid7 4 years, IT Sec Director SoCal Banking 5 years • Offensive Security, Tipping Scales back in our Favor • MSBA, CISSP • Public Sector Security Architect • Past 12 years spent working with Federal government agencies • MSSP, Threat Intelligence, SIEM • GCIH GCIA CISSP 3
- 4. 4 Agenda Intro Web Attacks Lateral Movement DNSExfiltration Wrap-up / Q&A
- 5. Machine data containsa definitive record of all interactions Splunk is a very effective platform to collect, store, and analyze all of that data Human Machine Machine Machine
- 6. Platform for OperationalIntelligence The Splunk Portfolio Rich Ecosystem of Apps & Add-Ons Splunk Premium Solutions Mainframe Data Relational Databases MobileForwarders Syslog/TCP IoT Devices Network Wire Data Hadoop https://od-sl-dc10.splunkoxygen.com/
- 7. 7 Rapid Ascent inthe Gartner SIEM Magic Quadrant* *Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 2015 Leader and the only vendor to improve its visionary position 2014 Leader 2013 Leader 2012 Challenger 2011 Niche Player 2015
- 8. Copyright © 2016Splunk Inc. Web Attacks
- 9. 9 OWASP 2013 Top10 [10] Unvalidated redirects and forwards [9] Using components with known vulnerabilities [8] Cross-site request forgery [7] Missing function level access control [6] Sensitive data exposure [5] Security misconfiguration [4] Insecure direct object reference [3] Cross-site scripting (XSS) [2] Broken authentication and session management
- 10. 10 [1] Injection SQL injection Codeinjection OS commanding LDAP injection XML injection XPath injection SSI injection IMAP/SMTP injection Buffer overflow
- 11. 11 Our focus SQL injection Codeinjection OS commanding LDAP injection XML injection XPath injection SSI injection IMAP/SMTP injection Buffer overflow SQL injection is a massive headache for all companies who have a database and a web interface.
- 12. 12 The anatomy ofa SQL injection attack SELECT * FROM users WHERE email='xxx@xxx.com' OR 1 = 1 -- ' AND password='xxx'; xxx@xxx.xxx' OR 1 = 1 -- ' xxx admin@admin.sys 1234 An attacker might supply: https://od-sl-dc10.splunkoxygen.com/
- 13. 13 Simple SQL Injection index=web_vulnpassword select (Starting with a simple, full-text search)
- 14.
- 15. 15 Simple SQL Injection index=web_vulnpassword select (administrator OR root OR system OR sa) | iplocation clientip | search Country=Ukraine (Furthermore, search for a privileged user and isolate the traffic from a specific country)
- 16.
- 17. 17 https://splunkbase.splunk.com/app/1528/ Search for possibleSQL injection in your events: looks for patterns in URI query field to see if anyone has injected them with SQL statements use standard deviations that are 2.5 times greater than the average length of your URI query field Macros used • sqlinjection_pattern(sourcetype, uri query field) • sqlinjection_stats(sourcetype, uri query field)
- 18. 18 Advanced SQL Injection index=web_vuln… TIP: To decode URIs you can use: | eval u = urldecode(field)
- 19. 19 Advanced SQL Injection index=web_vuln |rex field=uri `sqlinjection_rex` | search injection=* | stats count by clientip status
- 20.
- 21.
- 22. 22 Summary: Web attacks/SQLinjection SQL injection provide attackers with easy access to data Detecting advanced SQL injection is hard – use an app! Augment your WAF with enterprise-wide Splunk searches Other scenarios? Come see us at the Security Answers Booth
- 23. Copyright © 2016Splunk Inc. Lateral Movement
- 24. 24 Poking around An attackerhacks a non-privileged user system. So what?
- 25. 25 Lateral Movement Lateral Movementis the expansion of systems controlled, and data accessed.
- 26. 26 Most famous LateralMovement attack? (excluding password re-use) Pass the Hash!
- 27. 27 Detecting Legacy PtH Lookfor Windows Events: Event ID: 4624 or 4625 Logon type: 3 Auth package: NTLM User account is not a domain logon, or Anonymous Logon
- 28. 28 LM Detection: Passthe Hash source=WinEventLog:Security EventCode=4624 Authentication_Package=NTLM Type=Information
- 29.
- 30. 30 Then it gotharder • Pass the Hash tools have improved • Tracking of jitter, other metrics • So let’s detect lateral movement differently
- 31. 31 Network traffic providessource of truth I usually talk to 10 hosts Then one day I talk to 10,000 hosts ALARM!
- 32. 32 LM Detection: NetworkDestinations sourcetype="pan:traffic" | stats count dc(dest) sparkline(dc(dest)) by src_ip
- 33.
- 34. 34 LM Detection: NetworkDestinations sourcetype="pan:traffic" | bucket _time span=1d | stats count dc(dest) as NumDests by src_ip _time | stats avg(NumDests) as avg stdev(NumDests) as stdev latest(NumDests) as latest by src_ip | where latest > 2 * stdev + avg Find daily average, standard deviation, and most recent
- 35.
- 36. 36 LM Detection: NetworkDestinations – Bonus … | stats avg( eval( if(_time < relative_time(now(), “- 1d@d”), NumDests, null))) as avg …. If you are fancy, use stats, eval and the relative_time functions to ignore our recent spike. With a valid avg and stdev, yesterday’s value becomes 28 standard deviations away from normal!
- 37. 37 iz so hard…u haz magic?
- 38. 38 Summary: Lateral Movement Attackersuccess defines scope of a breach High difficulty, high importance Worth doing in Splunk Easy with UBA
- 39. Copyright © 2016Splunk Inc. DNS Exfiltration
- 40.
- 41. 41 DNS exfil tendsto be overlooked within an ocean of DNS data. Let’s fix that! DNS exfiltration
- 42. 42 FrameworkPOS: a card-stealingprogram that exfiltrates data from the target’s network by transmitting it as domain name system (DNS) traffic But the big difference is the way how stolen data is exfiltrated: the malware used DNS requests! https://blog.gdatasoftware.com/2014/10/23942-new-frameworkpos- variant-exfiltrates-data-via-dns-requests “ ” … few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network. http://krebsonsecurity.com/2015/05/deconstructing-the-2014-sally- beauty-breach/#more-30872 “ ” DNS exfiltration
- 43. 43 https://splunkbase.splunk.com/app/2734/ DNS exfil detection– tricks of the trade parse URLs & complicated TLDs (Top Level Domain) calculate Shannon Entropy List of provided lookups • ut_parse_simple(url) • ut_parse(url, list) or ut_parse_extended(url, list) • ut_shannon(word) • ut_countset(word, set) • ut_suites(word, sets) • ut_meaning(word) • ut_bayesian(word) • ut_levenshtein(word1, word2)
- 44. 44 Examples • The domainaaaaa.com has a Shannon Entropy score of 1.8 (very low) • The domain google.com has a Shannon Entropy score of 2.6 (rather low) • A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)-890209uC.4.com has a Shannon Entropy score of 3 (rather high) Layman’s definition: a score reflecting the randomness or measure of uncertainty of a string Shannon Entropy
- 45. 45 Detecting Data Exfiltration index=brosourcetype=bro_dns | `ut_parse(query)` | `ut_shannon(ut_subdomain)` | eval sublen = length(ut_subdomain) | table ut_domain ut_subdomain ut_shannon sublen TIPS Leverage our Bro DNS data Calculate Shannon Entropy scores Calculate subdomain length Display Details
- 46.
- 47. 47 Detecting Data Exfiltration …| stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain | search avg_sha>3 avg_sublen>20 stdev_sublen<2 TIPS Leverage our Bro DNS data Calculate Shannon Entropy scores Calculate subdomain length Display count, scores, lengths, deviations
- 48. 48 Detecting Data Exfiltration RESULTS •Exfiltrating data requires many DNS requests – look for high counts • DNS exfiltration to mooo.com and chickenkiller.com
- 49. 49 Summary: DNS exfiltration Exfiltrationby DNS and ICMP is a very common technique Many organizations do not analyze DNS activity – do not be like them! No DNS logs? No Splunk Stream? Look at FW byte counts
- 50. Copyright © 2016Splunk Inc. Wrap-up / Q&A
- 51. 51 Summary Multiple phases tomodern attacks Deploy detection across all phases Also consider adaptive response! Stay abreast of modern advancements App Export https://splunk.app.box.com/SplunkLive2016Security
- 52. 52 SEPT 26-29, 2016 WALTDISNEY WORLD, ORLANDO SWAN AND DOLPHIN RESORTS • 5000+ IT & Business Professionals • 3 days of technical content • 165+ sessions • 80+ Customer Speakers • 35+ Apps in Splunk Apps Showcase • 75+ Technology Partners • 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks • NEW hands-on labs! • Expanded show floor, Dashboards Control Room & Clinic, and MORE! The 7th Annual Splunk Worldwide Users’ Conference PLUS Splunk University • Three days: Sept 24-26, 2016 • Get Splunk Certified for FREE! • Get CPE credits for CISSP, CAP, SSCP • Save thousands on Splunk education!
- 53.
- 54.
Editor's Notes
- #6 Splunk excels at creating a data fabric Machine data: Anything with a timestamp, regardless of incoming format. Throw it all in there! Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting. DETECTION NOT PREVENTION! ASSUME BREACH! So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.” So if you had a place to see “everything” that happened… ….what would that mean for your SOC and IR teams?
- #7 The Splunk platform consists of multiple products and deployment models to fit your needs. Splunk Enterprise – for on-premise deployment Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud Hunk – for analytics on data in Hadoop Splunk Mint – to get insights into data from Mobile devices The products can pull in data from virtually any source to support multiple use cases. Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
- #8 Our rapid ascent reflects the customer traction we have and value we deliver to customers – with thousands of security customers and 40% year-over-year growth, we are the fastest growing SIEM vendor in the market. 2011 was our first time in the MQ; In 2 short years we raced up to the top quadrant in the MQ.
- #10 The OWASP (Open Web Application Security Project ) Top Ten represents a broad consensus about what the most critical web application security flaws are.
- #13 A SQL injection needs just two conditions to exist – a relational database that uses SQL, and a user controllable input which is directly used in an SQL query. Injections let attackers modify a back-end statement of command through unsanitized user input. Imagine a form that accepts an email address and password then submits them to a PHP file named index.php. Instead of entering a “real” username or password, the hacker will enter a SQL command (or a JSON string in the case of a NoSQL database). This piece of malicious code is then sent to the database, which executes the command as if it were an expected string (like a username). Cybercriminals use injection attacks against databases to export data such as Personally Identifying Data (PII), to delete accounts, create bogus accounts and modify data. Injection attacks can even be used to initiate a Denial of Service (DOS) attack. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations, etc. Suppose a user supplies admin@admin.sys and 1234 as the password. The statement to be executed against the database would look something like this <CLICK> The above code can be exploited by commenting out the password part and appending a condition that will always be true. Let’s suppose an attacker provides the following input in the email address field. <CLICK> xxx@xxx.xxx' OR 1 = 1 And essentially anything for the password. <CLICK>
- #14 Under SplunkLive Security 2016 App, open Web Attacks -> Simple SQL Injection Scroll down to see search syntax and results and explanations Splunk supports the Boolean operators: AND, OR, and NOT; the operators have to be capitalized. The AND operator is always implied between terms, that is: “password select” is the same as “password AND select”.
- #16 Expand on the previous search by adding specific credentials and using iplocation, identify any attacks from the Ukraine. Also note that Splunk search terms and field values are case insensitive.
- #19 Under SplunkLive Security 2016 App, open Web Attacks -> Advanced SQL Injection Scroll down to see search syntax and results and explanations As mentioned in the intro, Splunk does not limit how you perform searches, you can use countless ways to find the same results.
- #20 This is the pattern that the SQL injection search app leverages; we will augment it to list the attackers.
- #29 Under SplunkLive Security 2016 App, open Lateral Movement -> Lateral Movement Detection: Legacy Pass the Hash Scroll down to see search syntax and results and explanations
- #33 Under SplunkLive Security 2016 App, open Lateral Movement -> Lateral Movement Detection: Network Destinations Scroll down to see search syntax and results and explanations
- #45 Under SplunkLive Security 2016 App, open DNS Exfil -> DNS Exfil: Detecting Data Exfiltration Scroll down to see search syntax and results and explanations
- #49 DNS exfil: 18k text file - Infected host is 10.124.15.193 - Connected to [$base64_encoded_subdomain].xklsl29das.chickenkiller.com - Time frame is around 1946-2134 08AUG14 20mb+ Zip file - Infected host is 10.124.15.193 - Connected to [$base64_encoded_subdomain].xklsl29das.mooo.com - Time frame is around 1853-1927 08AUG14
- #51 op
- #53 We’re headed to the East Coast! 2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics! 165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE! 30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you! Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers. Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja! REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!